From 03e6ae850ce718c008636bd8db093f453e62ccf3 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Thu, 12 Nov 2015 10:46:25 -0500 Subject: Refactor named certificates. --- playbooks/common/openshift-master/config.yml | 53 +++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 9 deletions(-) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index b1da85d5d..8719d080d 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -204,14 +204,6 @@ validate_checksum: yes with_items: masters_needing_certs -- name: Inspect named certificates - hosts: oo_first_master - tasks: - - name: Collect certificate names - set_fact: - parsed_named_certificates: "{{ openshift_master_named_certificates | oo_parse_certificate_names(master_cert_config_dir, openshift.common.internal_hostnames) }}" - when: openshift_master_named_certificates is defined - - name: Compute haproxy_backend_servers hosts: localhost connection: local @@ -272,11 +264,54 @@ | map(attribute='stdout') | list) }}" +- name: Parse named certificates + hosts: localhost + vars: + internal_hostnames: "{{ hostvars[groups.oo_first_master.0].openshift.common.internal_hostnames }}" + named_certificates: "{{ hostvars[groups.oo_first_master.0].openshift_master_named_certificates | default([]) }}" + named_certificates_dir: "{{ hostvars[groups.oo_first_master.0].master_cert_config_dir }}/named_certificates/" + tasks: + - set_fact: + parsed_named_certificates: "{{ named_certificates | oo_parse_named_certificates(named_certificates_dir, internal_hostnames) }}" + when: named_certificates | length > 0 + +- name: Deploy named certificates + hosts: oo_masters_to_config + vars: + named_certs_dir: "{{ master_cert_config_dir }}/named_certificates/" + named_certs_specified: "{{ openshift_master_named_certificates is defined }}" + overwrite_named_certs: "{{ openshift_master_overwrite_named_certificates | default(false) }}" + roles: + - role: openshift_facts + post_tasks: + - openshift_facts: + role: master + local_facts: + named_certificates: "{{ hostvars.localhost.parsed_named_certificates | default([]) }}" + overwrite_additive_facts: "{{ overwrite_named_certs }}" + - name: Clear named certificates + file: + path: "{{ named_certs_dir }}" + state: absent + when: overwrite_named_certs | bool + - name: Ensure named certificate directory exists + file: + path: "{{ named_certs_dir }}" + state: directory + when: named_certs_specified | bool + - name: Land named certificates + copy: src="{{ item.certfile }}" dest="{{ named_certs_dir }}" + with_items: openshift_master_named_certificates + when: named_certs_specified | bool + - name: Land named certificate keys + copy: src="{{ item.keyfile }}" dest="{{ named_certs_dir }}" + with_items: openshift_master_named_certificates + when: named_certs_specified | bool + - name: Configure master instances hosts: oo_masters_to_config serial: 1 vars: - named_certificates: "{{ hostvars[groups['oo_first_master'][0]]['parsed_named_certificates'] | default([])}}" sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" openshift_master_count: "{{ groups.oo_masters_to_config | length }}" -- cgit v1.2.3 From 927e585bbeb049523313bacedc57efee2eacf232 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Mon, 16 Nov 2015 16:01:35 -0500 Subject: Add additive_facts_to_overwrite instead of overwriting all additive_facts --- playbooks/common/openshift-master/config.yml | 3 +- roles/openshift_facts/library/openshift_facts.py | 46 +++++++++++++++--------- 2 files changed, 31 insertions(+), 18 deletions(-) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 8719d080d..ff1579218 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -288,7 +288,8 @@ role: master local_facts: named_certificates: "{{ hostvars.localhost.parsed_named_certificates | default([]) }}" - overwrite_additive_facts: "{{ overwrite_named_certs }}" + additive_facts_to_overwrite: + - "{{ 'master.named_certificates' if overwrite_named_certs | bool else omit }}" - name: Clear named certificates file: path: "{{ named_certs_dir }}" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 995d2c5fb..fc701d42b 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -864,13 +864,16 @@ def apply_provider_facts(facts, provider_facts): return facts -def merge_facts(orig, new, overwrite_additive_facts): +def merge_facts(orig, new, additive_facts_to_overwrite): """ Recursively merge facts dicts Args: orig (dict): existing facts new (dict): facts to update - overwrite_additive_facts (bool): overwrite additive facts + + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] + Returns: dict: the merged facts """ @@ -879,8 +882,14 @@ def merge_facts(orig, new, overwrite_additive_facts): for key, value in orig.iteritems(): if key in new: if isinstance(value, dict) and isinstance(new[key], dict): - facts[key] = merge_facts(value, new[key], overwrite_additive_facts) - elif key in additive_facts and not overwrite_additive_facts: + relevant_additive_facts = [] + # Keep additive_facts_to_overwrite if key matches + for item in additive_facts_to_overwrite: + if '.' in item and item.startswith(key + '.'): + relevant_additive_facts.append(item) + facts[key] = merge_facts(value, new[key], relevant_additive_facts) + elif key in additive_facts and key not in [x.split('.')[-1] for x in additive_facts_to_overwrite]: + # Fact is additive so we'll combine orig and new. if isinstance(value, list) and isinstance(new[key], list): new_fact = [] for item in copy.deepcopy(value) + copy.copy(new[key]): @@ -970,14 +979,15 @@ class OpenShiftFacts(object): role (str): role for setting local facts filename (str): local facts file to use local_facts (dict): local facts to set - overwrite_additive_facts (bool): overwrite additive facts + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] Raises: OpenShiftFactsUnsupportedRoleError: """ known_roles = ['common', 'master', 'node', 'master_sdn', 'node_sdn', 'dns', 'etcd'] - def __init__(self, role, filename, local_facts, overwrite_additive_facts=False): + def __init__(self, role, filename, local_facts, additive_facts_to_overwrite=False): self.changed = False self.filename = filename if role not in self.known_roles: @@ -986,26 +996,27 @@ class OpenShiftFacts(object): ) self.role = role self.system_facts = ansible_facts(module) - self.facts = self.generate_facts(local_facts, overwrite_additive_facts) + self.facts = self.generate_facts(local_facts, additive_facts_to_overwrite) - def generate_facts(self, local_facts, overwrite_additive_facts): + def generate_facts(self, local_facts, additive_facts_to_overwrite): """ Generate facts Args: local_facts (dict): local_facts for overriding generated defaults - overwrite_additive_facts (dict): overwrite additive facts + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] Returns: dict: The generated facts """ - local_facts = self.init_local_facts(local_facts, overwrite_additive_facts) + local_facts = self.init_local_facts(local_facts, additive_facts_to_overwrite) roles = local_facts.keys() defaults = self.get_defaults(roles) provider_facts = self.init_provider_facts() facts = apply_provider_facts(defaults, provider_facts) - facts = merge_facts(facts, local_facts, overwrite_additive_facts) + facts = merge_facts(facts, local_facts, additive_facts_to_overwrite) facts['current_config'] = get_current_config(facts) facts = set_url_facts_if_unset(facts) facts = set_project_cfg_facts_if_unset(facts) @@ -1143,12 +1154,13 @@ class OpenShiftFacts(object): ) return provider_facts - def init_local_facts(self, facts=None, overwrite_additive_facts=False): + def init_local_facts(self, facts=None, additive_facts_to_overwrite=False): """ Initialize the provider facts Args: facts (dict): local facts to set - overwrite_additive_facts (bool): overwrite additive facts + additive_facts_to_overwrite (list): additive facts to overwrite in jinja + '.' notation ex: ['master.named_certificates'] Returns: dict: The result of merging the provided facts with existing @@ -1166,7 +1178,7 @@ class OpenShiftFacts(object): basestring): facts_to_set[arg] = module.from_json(facts_to_set[arg]) - new_local_facts = merge_facts(local_facts, facts_to_set, overwrite_additive_facts) + new_local_facts = merge_facts(local_facts, facts_to_set, additive_facts_to_overwrite) for facts in new_local_facts.values(): keys_to_delete = [] for fact, value in facts.iteritems(): @@ -1196,7 +1208,7 @@ def main(): role=dict(default='common', required=False, choices=OpenShiftFacts.known_roles), local_facts=dict(default=None, type='dict', required=False), - overwrite_additive_facts=dict(default=False, type='bool', required=False), + additive_facts_to_overwrite=dict(default=[], type='list', required=False), ), supports_check_mode=True, add_file_common_args=True, @@ -1204,10 +1216,10 @@ def main(): role = module.params['role'] local_facts = module.params['local_facts'] - overwrite_additive_facts = module.params['overwrite_additive_facts'] + additive_facts_to_overwrite = module.params['additive_facts_to_overwrite'] fact_file = '/etc/ansible/facts.d/openshift.fact' - openshift_facts = OpenShiftFacts(role, fact_file, local_facts, overwrite_additive_facts) + openshift_facts = OpenShiftFacts(role, fact_file, local_facts, additive_facts_to_overwrite) file_params = module.params.copy() file_params['path'] = fact_file -- cgit v1.2.3 From 8741b61d46361deffd5d67a310f1995ae2217b77 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Fri, 20 Nov 2015 09:17:16 -0500 Subject: Replace map with oo_collect to support python-jinja2 <2.7 --- playbooks/common/openshift-etcd/config.yml | 2 +- playbooks/common/openshift-master/config.yml | 8 ++++---- playbooks/common/openshift-node/config.yml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml index ed23ada88..7d94ced2e 100644 --- a/playbooks/common/openshift-etcd/config.yml +++ b/playbooks/common/openshift-etcd/config.yml @@ -24,7 +24,7 @@ - /etc/etcd/ca.crt register: g_etcd_server_cert_stat_result - set_fact: - etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | map(attribute='stat.exists') + etcd_server_certs_missing: "{{ g_etcd_server_cert_stat_result.results | oo_collect(attribute='stat.exists') | list | intersect([false])}}" etcd_cert_subdir: etcd-{{ openshift.common.hostname }} etcd_cert_config_dir: /etc/etcd diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index ff1579218..902fde956 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -60,7 +60,7 @@ register: g_external_etcd_cert_stat_result - set_fact: etcd_client_certs_missing: "{{ g_external_etcd_cert_stat_result.results - | map(attribute='stat.exists') + | oo_collect(attribute='stat.exists') | list | intersect([false])}}" etcd_cert_subdir: openshift-master-{{ openshift.common.hostname }} etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" @@ -157,7 +157,7 @@ register: g_master_cert_stat_result - set_fact: master_certs_missing: "{{ False in (g_master_cert_stat_result.results - | map(attribute='stat.exists') + | oo_collect(attribute='stat.exists') | list ) }}" master_cert_subdir: master-{{ openshift.common.hostname }} master_cert_config_dir: "{{ openshift.common.config_base }}/master" @@ -257,11 +257,11 @@ - set_fact: session_auth_secret: "{{ openshift_master_session_auth_secrets | default(session_auth_output.results - | map(attribute='stdout') + | oo_collect(attribute='stdout') | list) }}" session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default(session_encryption_output.results - | map(attribute='stdout') + | oo_collect(attribute='stdout') | list) }}" - name: Parse named certificates diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 8da9e231f..2b6171cb3 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -33,7 +33,7 @@ - server.crt register: stat_result - set_fact: - certs_missing: "{{ stat_result.results | map(attribute='stat.exists') + certs_missing: "{{ stat_result.results | oo_collect(attribute='stat.exists') | list | intersect([false])}}" node_subdir: node-{{ openshift.common.hostname }} config_dir: "{{ openshift.common.config_base }}/generated-configs/node-{{ openshift.common.hostname }}" @@ -48,7 +48,7 @@ when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config and (openshift.common.use_flannel | bool) - set_fact: etcd_client_flannel_certs_missing: "{{ g_external_etcd_flannel_cert_stat_result.results - | map(attribute='stat.exists') + | oo_collect(attribute='stat.exists') | list | intersect([false])}}" etcd_cert_subdir: openshift-node-{{ openshift.common.hostname }} etcd_cert_config_dir: "{{ openshift.common.config_base }}/node" -- cgit v1.2.3 From 4013fd47fed61ceb0b92cfa4c271b420b4ced66b Mon Sep 17 00:00:00 2001 From: Federico Simoncelli Date: Wed, 25 Nov 2015 14:08:49 +0100 Subject: Make sure that OpenSSL is installed before use Signed-off-by: Federico Simoncelli --- playbooks/common/openshift-master/config.yml | 2 ++ 1 file changed, 2 insertions(+) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 902fde956..2be25b1e3 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -244,6 +244,8 @@ - fail: msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) + - name: Install OpenSSL package + action: "{{ansible_pkg_mgr}} pkg=openssl state=present" - name: Generate session authentication key command: /usr/bin/openssl rand -base64 24 register: session_auth_output -- cgit v1.2.3 From 2bfed1383e4d8eed1e0ab3e4c99eecacc5936047 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Wed, 25 Nov 2015 13:22:52 -0500 Subject: Use admin.kubeconfig for get svc ip. --- playbooks/common/openshift-master/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 902fde956..f8d90374e 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -355,7 +355,7 @@ hosts: oo_first_master tasks: - name: Get master service ip - command: "{{ openshift.common.client_binary }} get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\}" + command: "{{ openshift.common.client_binary }} -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\}" register: master_service_ip_output when: openshift.common.version_greater_than_3_1_or_1_1 | bool - set_fact: -- cgit v1.2.3 From a2dc715e54f47fa2abbac58d9d04565837bc6e56 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Tue, 24 Nov 2015 10:49:44 -0500 Subject: Set api version for oc commands --- playbooks/common/openshift-master/config.yml | 7 ++++++- roles/openshift_cluster_metrics/tasks/main.yml | 6 +++--- roles/openshift_serviceaccounts/tasks/main.yml | 6 ++++-- 3 files changed, 13 insertions(+), 6 deletions(-) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 43e7836b3..f382494bd 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -353,11 +353,16 @@ - role: openshift_cluster_metrics when: openshift.common.use_cluster_metrics | bool + # TODO: Setting the cluster dns ip should be pushed into openshift-facts - name: Determine cluster dns ip hosts: oo_first_master tasks: - name: Get master service ip - command: "{{ openshift.common.client_binary }} -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\}" + command: > + {{ openshift.common.client_binary }} -n default + --config={{ openshift.common.config_base }}/master/admin.kubeconfig + get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\} + --output-version=v1 register: master_service_ip_output when: openshift.common.version_greater_than_3_1_or_1_1 | bool - set_fact: diff --git a/roles/openshift_cluster_metrics/tasks/main.yml b/roles/openshift_cluster_metrics/tasks/main.yml index 3938aba4c..9b7735e54 100644 --- a/roles/openshift_cluster_metrics/tasks/main.yml +++ b/roles/openshift_cluster_metrics/tasks/main.yml @@ -7,7 +7,7 @@ - name: Create InfluxDB Services command: > - {{ openshift.common.client_binary }} create -f + {{ openshift.common.client_binary }} create -f /etc/openshift/cluster-metrics/influxdb.yaml register: oex_influxdb_services failed_when: "'already exists' not in oex_influxdb_services.stderr and oex_influxdb_services.rc != 0" @@ -15,14 +15,14 @@ - name: Create Heapster Service Account command: > - {{ openshift.common.client_binary }} create -f + {{ openshift.common.client_binary }} create -f /etc/openshift/cluster-metrics/heapster-serviceaccount.yaml register: oex_heapster_serviceaccount failed_when: "'already exists' not in oex_heapster_serviceaccount.stderr and oex_heapster_serviceaccount.rc != 0" changed_when: false - name: Add cluster-reader role to Heapster - command: > + command: > {{ openshift.common.admin_binary }} policy add-cluster-role-to-user cluster-reader diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index d93a25a21..e558a83a2 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml @@ -13,7 +13,9 @@ changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0" - name: Get current security context constraints - shell: "{{ openshift.common.client_binary }} get scc privileged -o yaml > /tmp/scc.yaml" + shell: > + {{ openshift.common.client_binary }} get scc privileged -o yaml + --output-version=v1 > /tmp/scc.yaml - name: Add security context constraint for {{ item }} lineinfile: @@ -23,4 +25,4 @@ with_items: accounts - name: Apply new scc rules for service accounts - command: "{{ openshift.common.client_binary }} update -f /tmp/scc.yaml" + command: "{{ openshift.common.client_binary }} update -f /tmp/scc.yaml --api-version=v1" -- cgit v1.2.3 From 6a71953ec28a358223a96444ea6ba5b2139becde Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Tue, 1 Dec 2015 11:44:13 -0500 Subject: Fix kubernetes service ip gathering. --- playbooks/common/openshift-master/config.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index f382494bd..1c8a92122 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -358,11 +358,8 @@ hosts: oo_first_master tasks: - name: Get master service ip - command: > - {{ openshift.common.client_binary }} -n default - --config={{ openshift.common.config_base }}/master/admin.kubeconfig - get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\} - --output-version=v1 + # This command has to be on a single line. + command: "{{ openshift.common.client_binary }} -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\} --output-version=v1" register: master_service_ip_output when: openshift.common.version_greater_than_3_1_or_1_1 | bool - set_fact: -- cgit v1.2.3 From 192ccc8e6e6f465351828f32e9dc43b840897b67 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Tue, 1 Dec 2015 16:30:05 -0500 Subject: Refactor dns options and facts. --- inventory/byo/hosts.example | 3 +++ playbooks/common/openshift-cluster/config.yml | 3 --- playbooks/common/openshift-master/config.yml | 16 ---------------- roles/openshift_facts/library/openshift_facts.py | 8 ++++---- roles/openshift_master/tasks/main.yml | 8 +------- roles/openshift_node/tasks/main.yml | 7 +------ roles/openshift_node/templates/node.yaml.v1.j2 | 6 ++++-- 7 files changed, 13 insertions(+), 38 deletions(-) (limited to 'playbooks/common/openshift-master') diff --git a/inventory/byo/hosts.example b/inventory/byo/hosts.example index 1a67cc290..dd8d8f855 100644 --- a/inventory/byo/hosts.example +++ b/inventory/byo/hosts.example @@ -154,6 +154,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # entries for the interfaces attached to the host. #openshift_set_hostname=True +# Configure dnsIP in the node config +#openshift_dns_ip=172.30.0.1 + # host group for masters [masters] ose3-master[1:3]-ansible.test.example.com diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index a8bd634d3..482fa8441 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml @@ -6,6 +6,3 @@ - include: ../openshift-master/config.yml - include: ../openshift-node/config.yml - vars: - osn_cluster_dns_domain: "{{ hostvars[groups.oo_first_master.0].openshift.dns.domain }}" - osn_cluster_dns_ip: "{{ hostvars[groups.oo_first_master.0].cluster_dns_ip }}" diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 1c8a92122..785a78497 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -353,22 +353,6 @@ - role: openshift_cluster_metrics when: openshift.common.use_cluster_metrics | bool - # TODO: Setting the cluster dns ip should be pushed into openshift-facts -- name: Determine cluster dns ip - hosts: oo_first_master - tasks: - - name: Get master service ip - # This command has to be on a single line. - command: "{{ openshift.common.client_binary }} -n default --config={{ openshift.common.config_base }}/master/admin.kubeconfig get -o template svc kubernetes --template=\\{\\{.spec.clusterIP\\}\\} --output-version=v1" - register: master_service_ip_output - when: openshift.common.version_greater_than_3_1_or_1_1 | bool - - set_fact: - cluster_dns_ip: "{{ hostvars[groups.oo_first_master.0].openshift.dns.ip }}" - when: not openshift.common.version_greater_than_3_1_or_1_1 | bool - - set_fact: - cluster_dns_ip: "{{ master_service_ip_output.stdout }}" - when: openshift.common.version_greater_than_3_1_or_1_1 | bool - - name: Enable cockpit hosts: oo_first_master vars: diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index b60e42c71..e937b742e 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -528,9 +528,9 @@ def set_aggregate_facts(facts): internal_hostnames.add(facts['common']['hostname']) internal_hostnames.add(facts['common']['ip']) + cluster_domain = facts['common']['dns_domain'] + if 'master' in facts: - # FIXME: not sure why but facts['dns']['domain'] fails - cluster_domain = 'cluster.local' if 'cluster_hostname' in facts['master']: all_hostnames.add(facts['master']['cluster_hostname']) if 'cluster_public_hostname' in facts['master']: @@ -985,7 +985,7 @@ class OpenShiftFacts(object): Raises: OpenShiftFactsUnsupportedRoleError: """ - known_roles = ['common', 'master', 'node', 'master_sdn', 'node_sdn', 'dns', 'etcd'] + known_roles = ['common', 'master', 'node', 'master_sdn', 'node_sdn', 'etcd'] def __init__(self, role, filename, local_facts, additive_facts_to_overwrite=False): self.changed = False @@ -1056,6 +1056,7 @@ class OpenShiftFacts(object): public_hostname=hostname) common['client_binary'] = 'oc' if os.path.isfile('/usr/bin/oc') else 'osc' common['admin_binary'] = 'oadm' if os.path.isfile('/usr/bin/oadm') else 'osadm' + common['dns_domain'] = 'cluster.local' defaults['common'] = common if 'master' in roles: @@ -1076,7 +1077,6 @@ class OpenShiftFacts(object): node = dict(labels={}, annotations={}, portal_net='172.30.0.0/16', iptables_sync_period='5s', set_node_ip=False) defaults['node'] = node - return defaults def guess_host_provider(self): diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 2cf2a53c4..5d4ddfca0 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -81,14 +81,8 @@ yum: pkg={{ openshift.common.service_type }}-master{{ openshift_version }} state=present register: install_result -# TODO: These values need to be configurable -- name: Set dns facts +- name: Re-gather package dependent master facts openshift_facts: - role: dns - local_facts: - ip: "{{ openshift_master_cluster_vip | default(openshift.common.ip, true) | default(None) }}" - domain: cluster.local - when: openshift.master.embedded_dns - name: Create config parent directory if it does not exist file: diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 42d984a09..1d3ac7c09 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -1,11 +1,5 @@ --- # TODO: allow for overriding default ports where possible -- fail: - msg: This role requres that osn_cluster_dns_domain is set - when: osn_cluster_dns_domain is not defined or not osn_cluster_dns_domain -- fail: - msg: This role requres that osn_cluster_dns_ip is set - when: osn_cluster_dns_ip is not defined or not osn_cluster_dns_ip - fail: msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." when: (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] @@ -20,6 +14,7 @@ hostname: "{{ openshift_hostname | default(none) }}" public_hostname: "{{ openshift_public_hostname | default(none) }}" deployment_type: "{{ openshift_deployment_type }}" + dns_ip: "{{ openshift_dns_ip | default(openshift_master_cluster_vip | default(None, true), true) }}" - role: node local_facts: annotations: "{{ openshift_node_annotations | default(none) }}" diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 41a303dee..23bd81f91 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -1,7 +1,9 @@ allowDisabledDocker: false apiVersion: v1 -dnsDomain: {{ osn_cluster_dns_domain }} -dnsIP: {{ osn_cluster_dns_ip }} +dnsDomain: {{ openshift.common.dns_domain }} +{% if 'dns_ip' in openshift.common %} +dnsIP: {{ openshift.common.dns_ip }} +{% endif %} dockerConfig: execHandlerName: "" iptablesSyncPeriod: "{{ openshift.node.iptables_sync_period }}" -- cgit v1.2.3 From 04ce758d35666c9f887a9bb1b44ccae1d20ee908 Mon Sep 17 00:00:00 2001 From: enoodle Date: Mon, 23 Nov 2015 17:46:27 +0200 Subject: ManageIQ Service Account: added role for ManageIQ service account Signed-off-by: enoodle --- playbooks/common/openshift-master/config.yml | 2 + roles/openshift_common/tasks/main.yml | 1 + roles/openshift_facts/library/openshift_facts.py | 2 +- roles/openshift_manageiq/tasks/main.yaml | 50 ++++++++++++++++++++++++ roles/openshift_manageiq/vars/main.yml | 24 ++++++++++++ 5 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 roles/openshift_manageiq/tasks/main.yaml create mode 100644 roles/openshift_manageiq/vars/main.yml (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 902fde956..7bdaca2c9 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -350,6 +350,8 @@ - openshift_examples - role: openshift_cluster_metrics when: openshift.common.use_cluster_metrics | bool + - role: openshift_manageiq + when: openshift.common.use_manageiq | bool - name: Determine cluster dns ip hosts: oo_first_master diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml index 55065b3de..c0982290d 100644 --- a/roles/openshift_common/tasks/main.yml +++ b/roles/openshift_common/tasks/main.yml @@ -22,6 +22,7 @@ deployment_type: "{{ openshift_deployment_type }}" use_fluentd: "{{ openshift_use_fluentd | default(None) }}" use_flannel: "{{ openshift_use_flannel | default(None) }}" + use_manageiq: "{{ openshift_use_manageiq | default(None) }}" # For enterprise versions < 3.1 and origin versions < 1.1 we want to set the # hostname by default. diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index b60e42c71..0100aa54f 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1053,7 +1053,7 @@ class OpenShiftFacts(object): common = dict(use_openshift_sdn=True, ip=ip_addr, public_ip=ip_addr, deployment_type='origin', hostname=hostname, - public_hostname=hostname) + public_hostname=hostname, use_manageiq=False) common['client_binary'] = 'oc' if os.path.isfile('/usr/bin/oc') else 'osc' common['admin_binary'] = 'oadm' if os.path.isfile('/usr/bin/oadm') else 'osadm' defaults['common'] = common diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml new file mode 100644 index 000000000..2d3187e21 --- /dev/null +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -0,0 +1,50 @@ +--- +- name: Copy Configuration to temporary conf + command: > + cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}} + changed_when: false + +- name: Add Managment Infrastructure project + command: > + {{ openshift.common.admin_binary }} new-project + management-infra + --description="Management Infrastructure" + --config={{manage_iq_tmp_conf}} + register: osmiq_create_mi_project + failed_when: "'already exists' not in osmiq_create_mi_project.stderr and osmiq_create_mi_project.rc != 0" + changed_when: osmiq_create_mi_project.rc == 0 + +- name: Create Service Account + shell: > + echo {{ manageiq_service_account | to_json | quote }} | + {{ openshift.common.client_binary }} create + -n management-infra + --config={{manage_iq_tmp_conf}} + -f - + register: osmiq_create_service_account + failed_when: "'already exists' not in osmiq_create_service_account.stderr and osmiq_create_service_account.rc != 0" + changed_when: osmiq_create_service_account.rc == 0 + +- name: Create Cluster Role + shell: > + echo {{ manageiq_cluster_role | to_json | quote }} | + {{ openshift.common.client_binary }} create + --config={{manage_iq_tmp_conf}} + -f - + register: osmiq_create_cluster_role + failed_when: "'already exists' not in osmiq_create_cluster_role.stderr and osmiq_create_cluster_role.rc != 0" + changed_when: osmiq_create_cluster_role.rc == 0 + +- name: Configure role/user permissions + command: > + {{ openshift.common.admin_binary }} {{item}} + --config={{manage_iq_tmp_conf}} + with_items: "{{manage_iq_tasks}}" + register: osmiq_perm_task + failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0" + changed_when: osmiq_perm_task.rc == 0 + +- name: Clean temporary configuration file + command: > + rm -f {{manage_iq_tmp_conf}} + changed_when: false diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml new file mode 100644 index 000000000..77e1c304b --- /dev/null +++ b/roles/openshift_manageiq/vars/main.yml @@ -0,0 +1,24 @@ +manageiq_cluster_role: + apiVersion: v1 + kind: ClusterRole + metadata: + name: management-infra-admin + rules: + - resources: + - pods/proxy + verbs: + - '*' + +manageiq_service_account: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: management-admin + +manage_iq_tmp_conf: /tmp/manageiq_admin.kubeconfig + +manage_iq_tasks: + - policy add-role-to-user -n management-infra admin -z management-admin + - policy add-role-to-user -n management-infra management-infra-admin -z management-admin + - policy add-cluster-role-to-user cluster-reader system:serviceaccount:management-infra:management-admin + - policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin -- cgit v1.2.3 From dd17fd49597ec27f66ff9436f211036125dbb08f Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Wed, 9 Dec 2015 12:08:56 -0500 Subject: Simplify session secrets overrides. --- playbooks/common/openshift-master/config.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) (limited to 'playbooks/common/openshift-master') diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index becd68dbe..196cdc8fe 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -249,22 +249,14 @@ - name: Generate session authentication key command: /usr/bin/openssl rand -base64 24 register: session_auth_output - with_sequence: count=1 when: openshift_master_session_auth_secrets is undefined - name: Generate session encryption key command: /usr/bin/openssl rand -base64 24 register: session_encryption_output - with_sequence: count=1 when: openshift_master_session_encryption_secrets is undefined - set_fact: - session_auth_secret: "{{ openshift_master_session_auth_secrets - | default(session_auth_output.results - | oo_collect(attribute='stdout') - | list) }}" - session_encryption_secret: "{{ openshift_master_session_encryption_secrets - | default(session_encryption_output.results - | oo_collect(attribute='stdout') - | list) }}" + session_auth_secret: "{{ openshift_master_session_auth_secrets | default([session_auth_output.stdout]) }}" + session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default([session_encryption_output.stdout]) }}" - name: Parse named certificates hosts: localhost -- cgit v1.2.3